Key Management for Encrypted Broadcastyash/p107-wool.pdf · NJ 07974; email: [email protected]. Permission to make digital/hard copy of part or all of this work for personal

Key Management for Encrypted Broadcast

AVISHAI WOOLLucent Technologies

We consider broadcast applications where the transmissions need to be encrypted, such asdirect broadcast digital TV networks or Internet multicasts. In these applications the numberof encrypted TV programs may be very large, but the secure memory capacity at the set-topterminals (STT) is severely limited due to the need to withstand pirate attacks and hardwaretampering. Despite this, we would like to allow the service provider to offer different packagesof programs to the users. A user who buys a package should be able to view every programbelonging to that package, but nothing else. A flexible scheme should allow for packages ofvarious sizes to be offered, from a single program up to all the programs. We suggest two novelschemes to manage the encryption keys for these applications. The schemes are highlyflexible, and understandable to users, yet require very few keys to be stored in the STTs’secure memory. The computational power required of the STTs is very low. The security ofthese schemes is as good or better than that offered by current technology.

Categories and Subject Descriptors: C.3 [Computer Systems Organization]: Special-Pur-pose and Application-Based Systems—Smartcards; E.3 [Data]: Data Encryption

General Terms: Security

Additional Key Words and Phrases: Conditional access, pay-per-view

1. INTRODUCTION

1.1 The Problem

The domain we consider in this paper is that of broadcast applicationswhere the transmissions need to be encrypted. As a primary example weconsider a direct broadcast digital TV network, broadcasting either viasatellite or via cable, but other applications such as Internet multicasts aresimilar. The reason encryption is needed is to ensure that only payingcustomers, who have the required keys, will be able to view the programs-[Macq and Quisquater 1995].

A preliminary version of this paper appeared in the 5th ACM Conference on Computer andCommunication Security (1998).Author’s address: Bell Laboratories, Lucent Technologies, 700 Mountain Ave., Murray Hill,NJ 07974; email: [email protected] to make digital / hard copy of part or all of this work for personal or classroom useis granted without fee provided that the copies are not made or distributed for profit orcommercial advantage, the copyright notice, the title of the publication, and its date appear,and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, torepublish, to post on servers, or to redistribute to lists, requires prior specific permissionand / or a fee.© 2000 ACM 1094-9224/00/0500–0107 $5.00

ACM Transactions on Information and System Security, Vol. 3, No. 2, May 2000, Pages 107–134.

In this context, the head-end broadcasts the encrypted TV programs to alarge population of users. Each network user has a set-top terminal (STT),which receives the encrypted broadcast and decrypts the programs that theuser is entitled to. The secret information which is stored inside a user’sset-top terminal (keys and access control data) is collectively called anentitlement.

Because of extensive piracy, these STTs need to contain a secure chip,either directly or on a smart-card, which includes secure memory for theentitlements. This memory should be non-volatile, writable (since keys arechanged every billing period), and tamper-resistant (so the pirates will findit difficult to read its contents). As a result of these requirements, STTshave severely limited secure memory, typically in the range of a fewKilobyte [Gem 1998]. On the other hand, the number of programs that maybe broadcast during a billing period can be large, say 200,000 or more. Theproblem we are faced with is how to manage the keys for such anapplication. We are trying to achieve the following two goals:

(1) Flexibility: We would like to allow the TV network to offer manydifferent packages of programs to the users. A user who buys a packageshould be able to view every program belonging to that package, butnothing else. A flexible scheme should allow for packages of varioussizes, from a single program up to all the programs. This flexibilityshould be obtained under the constraint that the STTs can only storevery few keys. Another aspect of a scheme’s flexibility is the ability tomake the packaging simple and understandable in user terms.

(2) Security: Piracy is a major concern, so all the components of thescheme must be made secure. We must certainly ensure that it isinfeasible to attack the encryption algorithms directly. In addition, weshould not completely trust the “tamper-resistance” of the STTs. This isnecessary since pirates have been notoriously successful in tamperingwith these devices. A good scheme is one where if the pirates break intoan STT they would not be able to decrypt more than what that STT’sowner was entitled to.

1.2 Contributions

In this paper we describe key management schemes which achieve theflexibility and security goals we set for ourselves, and which use very littlesecure memory in the STTs. The computational power required of the STTsby the schemes is very low. The security of these schemes is as good orbetter than that offered by current technology. Thus, they offer practicaland applicable solutions.

Before presenting the new schemes, we start by describing a simple“straw-man” scheme called ExtHeader. This is a variant of the well known“encrypt the session key with the user key” technique. Despite its simpli-city, the scheme is apparently not in current use by pay-TV providers. Themost commonly used schemes seem to be significantly less secure than theExtHeader scheme. The scheme works by adding header information to each

108 • A. Wool

ACM Transactions on Information and System Security, Vol. 3, No. 2, May 2000.

broadcast program. Using it, any predefined set of programs can be a package.Thus the scheme has full flexibility—although the length of the headerinformation grows with the number of packages. If the number of predefinedpackages is not too large then ExtHeader may be a reasonable choice.

The contributions of this paper are the Vspace scheme and the Treescheme. Both schemes provide a high degree of flexibility in the creation ofprogram packages, essentially without adding any overhead to the trans-mission. Moreover, the packages need not be predefined completely, and tosome extent may be customized to fit a user’s individual taste. The price wepay for this freedom is that not every arbitrary set of programs may be apackage (e.g., in the Vspace scheme packages can only be of 1, 3, 7, 15,. . . , 2n21 programs). Among the two schemes, Vspace is the speedier one:In a typical configuration the STT can compute a Vspace key by 32 XORoperations of 128-bit words. The Tree scheme, which is also very efficient(but requires somewhat more CPU power than Vspace) is more secure: Ithas the added advantage that it is provably secure if we make some assump-tions about its central component, which is a cryptographic hash function.

Note that if a pirate is able to pry open an STT which is entitled to all theprograms and to extract the secret information from it, then our schemesoffer the same level of security offered by existing schemes. However, ourschemes are stronger in that they do not allow the pirate to “upgrade” anSTT from a cheap package to an expensive one by low cost chip rewritingattacks (cf. Anderson and Kuhn [1997]). In our schemes, if an STT is notentitled to decode a certain program, then the decryption key does not existin the STT—it is not merely “masked off”, as is the case in existingschemes. In other words, we prevent the type of tampering recentlypublicized in the Internet browser arena, in which a few bits in theexecutable files of browsers with “international-grade” security werepatched to activate dormant “US-grade” security code [Fort 1998], thusbypassing US export restrictions. Moreover, unlike current schemes, breakinginto an STT that is not fully entitled does not compromise our schemecompletely.

The rest of this paper is structured as follows. We review some relatedwork in Section 2. In Section 3 we describe the ExtHeader scheme. TheVspace scheme is presented in Sections 4 and 5. The Tree scheme ispresented in Section 6. The security of all three schemes is discussed inSection 7. In Section 8, we analyze the addressing power of the Vspace andTree schemes, and we conclude with some directions for future work inSection 9.

2. RELATED WORK

2.1 The Bit-Vector Scheme

This is the most popular access control scheme in current use. It is used bymost of the analog European satellite TV systems such as the Sky VideoCryptsystems [McCormac 1996], and also by the US digital DirectTV system [Dir1998; McCormac 1996].

Key Management for Encrypted Broadcast • 109


In this scheme, all the programs are encrypted with the same key, whichis stored in every STT. To control the user’s access to the programs, theSTT also stores additional data, which we can abstractly view as abit-vector b which has an entry for each program. The STT decrypts aprogram p only if b@p# 5 1. Thus the scheme has full flexibility, since theuser can buy any set of programs as a package.

However, it has two major disadvantages. First, the access control isnon-cryptographic. Therefore if the pirates can overwrite the bit-vectorwith an all-1 vector, the STT will decrypt every program and bypass theaccess control entirely. Pirates have reportedly taken advantage of thisweakness in existing systems [McCormac 1996]. Secondly, the schemeneeds to store the bit-vector in secure memory. Therefore, the size of thebit-vector may become prohibitive when the number of programs is large.

2.2 The Block-by-Block Scheme

In this scheme, the programs are split into n disjoint blocks. All theprograms belonging to a block are encrypted using the same key. The STTstores the keys for each block that the user buys. According to the pirates’reports, such a system has been used in the D2-MAC EuroCrypt system[McCormac 1996, pp. 4–11].

The block-by-block scheme is more secure than the bit-vector schemesince the access control is cryptographic. In addition the secure memoryrequirements are small; at most n keys need to be stored. The maindrawback of this scheme is its poor flexibility, since a user cannot buy lessthan a large block of programs. Moreover, a program which is required tobelong to several blocks incurs a high overhead. Such a program needs tobe reencrypted with multiple block keys, and retransmitted separately foreach block.

A possible remedy is to split the programs into many blocks whichcontain only a few programs each, or even to have a single program perblock. But then the amount of secure memory in the STT limits themaximal number of block keys that a user may buy, and in particular auser may be unable to buy the set of all programs as a package. So theremedy may be worse than the original problem.

2.3 Types of Keys and User Revocation

Pay-TV systems typically have multiple types of keys. The key types differaccording to the length of time that the key material needs to be used. Thethree main key types are: Establishment keys (that can only be refreshedby replacing the smartcard), periodic keys (that control access during abilling period, say a month), and program keys (that encrypt a singleprogram) [Quisquater 1998].

The longest-lived keys are the establishment keys. These are keys thatare burned into the STT, and need to remain valid and secure for the life ofthe STT (or, more commonly, for the life of the smartcard). Replacing suchkeys is expensive to the provider, so their lifetime is measured in many

110 • A. Wool


months or even years. Thus the allocation of these keys needs to give theprovider the ability to revoke or exclude users, and collusions of users,without the need to replace paying customers’ smartcards. A large body ofliterature deals with methods of allocating these establishment keys tousers, starting with the seminal work of Fiat and Naor [1994], andextended in Blundo and Cresti [1994]; Blundo et al. [1998]; Luby andStaddon [1998]; Abdalla et al. [2000]; Garay et al. [2000], and others.

Between the long lived establishment keys and the individual programkeys we have periodic keys. These are keys that control the access to thecontent that is broadcast in a particular billing period (say a month).Access to the actual program keys is only available to users with thecurrent periodic key. The periodic keys are distributed to paying customersusing the long-lived establishment keys. Revoking non-paying users is doneby simply not giving them next month’s key. This revocation method doesnot provide backward security, and is not immediate (a user can only berevoked at the end of the month), however, it is very cheap to implement.The remaining, paying, customers are not impacted at all when users arerevoked. Recently, there has been significant work on schemes that providemuch tighter revocation capabilities, which are appropriate for small usergroups (cf. Moyer et al. [1999]). However, the simpler scheme based onperiodic keys is much better suited for the huge subscriber bases of pay-TVsystems (see Briscoe [1999] for more details). In this paper we dealprimarily with the organization and usage of the periodic keys.

2.4 How to Transfer Keys to the STTs?

A related question is how to transfer the periodic key information to theset-top terminals at the beginning of each billing period in a secure andefficient way. Two types of solutions can be found in the literature, whichdiffer in the communication model they assume.

In the first model, the only type of communication between the head-endand STTs is the unidirectional broadcast. This model is accurate forexisting European systems. Under this model, Fiat and Naor [1994] sug-gested methods of securely broadcasting key information such that only aselected set of users can decrypt this information while coalitions of up to kother users can learn nothing. The new periodic key is encrypted using asubset of the establishment keys, that legitimate paying users have, and isbroadcast to all the users. However, excluded users will not be able todecrypt the new periodic key since they lack the necessary establishment keys.

In the second model, the STTs also have an uplink capability (e.g., via aphone line or cable-modem). This is realistic since most new U.S.-basedsystems have such a “callback” feature. In the design described in Cohen etal. [1995], the head-end runs a secure and authenticated protocol withevery STT each billing period. During this protocol key information isdownloaded to the STT, and pay-per-view data is uploaded. This architec-ture offers better security than the one based on unidirectional communi-cation in that it limits a pirate’s ability to obtain secret keys: They are



never broadcast. The architecture also allows additional security checks tobe piggybacked onto the key download, such as tracking the location of theSTT [Gabber and Wool 1999].

2.5 Alternative Approaches

Key management schemes which have full flexibility (i.e., allowing users toaccess any set of programs they wish) can be found in Chick and Tavares[1990] and Halevi and Petrank [1995]. However, their techniques rely onRSA public-key cryptography [Rivest et al. 1978], and therefore are notconsidered to be applicable in our scenario. This is mostly since therecommended key lengths of public keys, i.e., 1024 bits (cf. Schneier[1996]), would severely tax the limited secure memory of the STT (typically2–8KB for commercially available smart-card based boxes [Gem 1998]),and since RSA computations are typically not fast enough to control thevideo access on slow smartcard CPUs.

Protocols for conference key distribution [Chiou and Chen 1989; Berko-vits 1991; Gong 1994] have more stringent security requirements than wedo here, such as verifying the key’s authenticity and repelling replayattacks. Moreover, they do not address our main constraint, which is thelimited secure storage of the STTs.

3. THE EXTENDED-HEADER SCHEME

3.1 The Scheme

We start by describing a simple scheme which we denote by ExtHeader.The main idea in this scheme is that we attach cryptographic headerinformation to each program. By transmitting more data we can overcomethe limited secure storage at the STTs. The scheme is a variation of thewell known “encrypt the session key using a user key” technique. However,instead of having a separate key for each user, we arrange the programsinto predefined packages, and each package has a key. Each program maybelong to many packages, and each user may have the keys to multiplepackages.

Suppose that a program p belongs to t packages. Then the transmissionof p consists of the encrypted program itself, and a list of t header blocks.Each header block H contains two fields: the package identifier field H.IDand the key field H.Key. When the ID field contains the package identifierj, then the Key field contains Esj~Kp!, which is the program key Kp

encrypted using the package key sj (see Figure 1). We say that the programkey Kp is covered using the package key sj.

Note that the encryption used for the programs may be different from theencryption used to cover the keys. The former needs to allow real-time

Fig. 1. The headers of a program p which belongs to packages i1, . . . , it.

112 • A. Wool


decryption of a video stream, while the latter only encrypts short butpotentially more sensitive keys.

The ExtHeader scheme is already a big improvement over the block-by-block scheme in terms of flexibility, since any set of programs mayconstitute a package. Its simplicity is another attractive feature.

3.2 Decreasing the Header Bandwidth

A drawback of the ExtHeader scheme is the amount of additional data thatis transmitted. If a program p belongs to t packages, then the schemerequires t 3 ~?H.ID? 1 ?H.Key?! header bits to be transmitted along withp. For example, if the size of a header block is 160 bits and assuming aprogram may belong to 64 packages, this amounts to an extra 1280 bytesper program.

A few extra KB of headers may seem negligible in comparison to the sizeof a typical video clip. However, note that this header information shouldbe transmitted fairly frequently. This is due to the fact that when Aliceswitches to view program p the STT needs to wait until p’s next header isreceived before it can start decrypting. Infrequent header transmissionwould cause Alice to notice delay when she switches channels. Thereforethe scheme has a design tradeoff between the bandwidth allocated toheader transmission, and the delay a user would incur when switchingchannels. Since tolerable delays are measured in fractions of a second, thebandwidth overhead may be significant.

Moreover, bandwidth allocated to cryptographic headers should not becompared to the bandwidth allocated to programs but rather to thatallocated to other types of control information. Direct broadcasting opera-tors are usually reluctant to add more overhead bandwidth since it cannotbe billed for, and may potentially decrease the number of TV channels thatcan be packed into a single satellite transponder [Shamir 1998]. Thuscommercial considerations may make this scheme unattractive in its basicform.

To overcome this problem, we suggest the following mechanism. Assumethat the STT is powered up and receiving the broadcast transmissioncontinuously (even when the TV is turned off). Assume further that inaddition to its small secure memory, the STT has access to a large insecurememory, e.g., banks of low-cost RAM. Then the STT can use this RAM as akey cache and thereby reduce the frequency of header transmission.

The STT needs to receive the broadcast continuously and scan all thechannels for header blocks. For every transmitted program p, if one of itsheader blocks belongs to a package that the user is entitled to, the STTcopies the block into the cache. We then say that the header block wascaptured by the STT. When Alice switches to program p the requiredheader block will already be in the cache, provided that the STT wasoperational long enough to capture it. Therefore a noticeable delay will onlyoccur when the STT is powered up for the first time, or when Aliceattempts to switch to a program she is not entitled to. Using this capturing



mechanism, we can choose the frequency of header transmissions based onthe tolerable power-up delay, which may be on the order of several seconds.

Note that the headers are copied to the cache without decrypting theirKey field. The program keys are uncovered inside the secure chip onlywhen Alice switches to a specific program. Thus the only information apirate can obtain by reading the (insecure) cache is the list of programsthat Alice is entitled to. The actual data placed in the cache can just aseasily be extracted from the broadcast transmission itself.

An alternative mechanism would be to designate a fixed channel whichwould repeatedly broadcast the header information of all the programs forthe next hour (say). Such a fixed channel, called a Barker channel, mayalready exist in the system (e.g., serving as a directory listing). If this is thecase, then the extra header bandwidth may be “for free” in some sense,since the Barker channel is not used to broadcast program contents.

4. THE VSPACE SCHEME

4.1 Overview

In the ExtHeader scheme we needed to attach large headers to eachprogram in order to achieve flexibility in packaging the programs. In theVspace scheme we achieve comparable flexibility essentially without at-taching any extra headers.

The only piece of information we attach to a program’s transmission is asingle n-bit cryptographic identifier, or CID. However, this CID is notchosen arbitrarily. We shall see that imposing a specific structure on theseidentifiers is crucial to the scheme’s usefulness.

The program encryption keys cannot be chosen arbitrarily either. Theencryption key of a program p is a function of its CID and of secret datastored at the head-end. The STT recomputes the key using the transmittedCID and its own secret data. However, the secret data stored in the STTonly allows the decryption of programs with certain CIDs, namely thosewhich belong to the package the user buys.

Finally, the Vspace scheme does not allow every arbitrary collection ofprograms to be a package. One simple restriction is that only collections of1, 3, 7, . . . , 2n21 programs may constitute a package.1 However, weargue that the large variability in package size, from a single programpackage up to all the programs, gives sufficient flexibility.

In the rest of this paper we identify a program with its CID, and referinterchangeably to either a “program p” or a “program with CID p”.

The Vspace scheme is parameterized by two numbers. The length (inbits) of a CID is denoted by n, and the length of an encryption key isdenoted by k. We require that k . n for the scheme to work. A convenientvalue for n is n 5 32, as this size allows a program’s CID to be placed in

1More precisely, a package consists of programs with 2r21 CIDs; note that it is possible toassign the same CID to multiple programs.

114 • A. Wool


the ECM [Entitlement Control Message] field defined in the MPEG-2standard [MPEG2 1994]. For sake of concreteness we can think of usingencryption keys of length k 5 64 or k 5 128 bits.

The Vspace scheme relies on basic results of linear algebra. A goodreference book for the required mathematical background is Birkhoff andMacLane [1977]. We use boldface letters to denote program CIDs, which weview as n-bit vectors over GF~2!2 We use capital letters to denote matricesover GF~2!.

4.2 How it Works

For readers that are comfortable with linear algebra, we provide a succinctdescription of the scheme’s construction. The head-end has a secret randombinary k 3 n matrix M called the master matrix. The keys for encryptingthe programs are generated from the master matrix as follows. A programwhose CID is p is encrypted using the key

Key~p! 5 Mp. (1)

Program packages are constrained to be linear subspaces of program CIDs.A user that buys such a package receives as her entitlement a (personal-ized, lower-rank) key matrix K, which is computed from the master matrixM by projecting it onto the package’s subspace.

In the following sections we shall go over the details of the scheme,explain why it works, and prove that a user holding the matrix K can onlydecrypt programs whose CIDs fall within the purchased linear subspace.

4.3 Generating the Encryption Keys

At the beginning of every billing period, the head-end chooses a randombinary k 3 n matrix M called the master matrix. The k-bit columns of thematrix M, denoted by m1, . . . , mn, are called the master keys of thescheme. We require the master keys to be linearly independent k-dimen-sional vectors over GF~2!. Therefore the matrix M is n-dimensional. Aprogram whose CID is p is encrypted using the key Key~p! of equation (1).

This method of generating keys as linear combinations of the master keysis similar to the techniques used in Impagliazzo and Naor [1989]; Aiello etal. [1995]; Fischer and Stern [1996] to construct provably secure pseudo-random generators. However, a pseudorandom generator in itself is notsufficient for our purposes; in the next section we show how we capitalizeon the linearity of the scheme in the definitions of the possible packages.

Remarks.

—A program which has CID p 5 0 would get Key~p! 5 0 for any mastermatrix M. An all-zero key is considered a weak key in some encryption

2GF~2! is the single-bit field over $0, 1% with bitwise-XOR as the addition operation andbitwise-AND as the multiplication operation.



algorithms (e.g., DES [1977]), and some encryption algorithms (notablyshift-register based ones) actually produce a ciphertext which is identicalto the plaintext when the key is all zeros. Therefore we may as wellassign the CID p 5 0 to any program that needs to be broadcast in theclear, such as directory listings or the major TV networks’ broadcasts. Wecan then use the value Key~p! 5 0 as a flag to bypass the encryption (ordecryption) algorithm altogether.

—Since we require the master keys to be linearly independent, it isimpossible that a program p Þ 0 would accidentally get a zero key, andthus be broadcast in the clear.

—Since k . n, it is always possible to pick n linearly independent k-bitmaster keys. Indeed, if we pick n keys uniformly at random then theprobability of their being linearly independent is

Pr~master keys are linearly independent! 5 Pi50

n21S1 21

2k2iD $ e21.386/ 2k2n

.

For n 5 32 and k 5 64 this value is ' 1 2 10210. Note, also, that it iseasy to check whether the master keys are linearly independent.

4.4 The Linear Subspace Paradigm

At first sight, the key generation scheme proposed in the previous sectionseems to “leak information.” If Alice knows the keys Key~p1!, Key~p2! ofprograms ~p1! and ~p2! then she can compute Key~p1! Q Key~p2!, which isprecisely the key to the program p1 Q p2 by the linearity of the scheme.

However, this “deficiency” turns out to be the source of the scheme’sflexibility. To see this, we introduce the central paradigm of the Vspacescheme (and the reason for its name), which is

“A user is only allowed to buy an entitlement for a linear subspace of programCIDs.”

So in fact the user Alice does not gain any information she is not entitledto. Since she is entitled to decrypt both p1 and p2, she must have bought(and paid for) a linear subspace U of CIDs which contains both p1 and p2.But U must also contain p1 Q p2 by the definition of a linear subspace.Therefore, if Alice can decrypt both p1 and p2, then the price she paid forthe entitlement already reflects her ability to decrypt p1 Q p2.

An r-dimensional linear subspace over GF~2! contains 2r vectors (CIDs),one of which is 0 (marking plaintext programs). This is the reason whypackages can only contain 1, 3, 7, 15. . . , 2n21 programs.

4.5 Creating the Entitlements and Decryption

Assume that Alice has decided to buy a package of programs which ischaracterized by an r-dimensional linear subspace U of CIDs. Then the

116 • A. Wool


head-end needs to generate an entitlement which will allow Alice todecrypt any program p [ U but nothing else. In Section 4.5.1, we describewhat such an entitlement consists of, and how the head-end can generate it.

An optional part of the entitlement is the check matrix. If the STT hasthe check matrix, it can determine whether a program p is in the decrypt-able space U without going through the whole decryption procedure. Thecheck matrix is described in Section 4.5.2.

4.5.1 The Decryption Procedure. The inputs for the head-end procedurethat generates the decryption data are the master matrix M, and ther-dimensional subspace U. We assume that U is represented by a basis, i.e.,an n 3 r matrix B.

Consider some program p [ U. Since B is a basis for U we can write p asa linear combination of the basis vectors, i.e., there exists an r-dimensionalvector x such that

Bx 5 p. (2)

Given B and p, we need to solve (2) for x. Note that if r , n (i.e., U is notthe space of all programs) then the equation system (2) is over-defined; ithas n equations and r variables. Nevertheless, if p [ U we know a solutionexists. In the next definition we identify the data needed to solve (2) (seeFigure 2).

Definition 1. Let the active indices i1. . . , ir be indices of r rows of Bwhich form a regular r 3 r submatrix B9. Let p9 5 ~ pi1, . . . , pir! be ther-dimensional vector of the corresponding entries in p.

Remark. It is always possible to find r such linearly independent rowssince B is r-dimensional.

PROPOSITION 1. Let B9 and p9 be as before, and let ~B9!21 be the r 3 rinverse of B9. Then

x 5 ~B9!21p9

is the unique solution to the linear system of equations (2) .

B x

B’ =

p

p’

Fig. 2. The linear equation system Bx 5 p. The regular r 3 r submatrix B9 and thecorresponding p9 are shaded.



PROOF. Clearly x is the unique solution to the system of equationsB9x 5 p9 since B9 is regular. Thus, x solves the r equations of (2) corre-sponding to the active indices. However, any solution to the whole system(2) must solve these r equations in particular. Therefore, if (2) has asolution at all, it can only be x. But (2) has a solution since p [ U and B isa basis for U, so x is the required solution. e

The matrix ~B9!21 and the active indices i1, . . . , ir form one part of theentitlement. Another part, which actually contains the secret key data, isthe following matrix K.

Definition 2. Let K be the k 3 r matrix

K 5 MB.

In order to generate the decryption part of the entitlement, the head-endneeds to calculate the matrix K of Definition 4.5.1, the active indicesi1. . . , ir of Definition 4.5.1 and the inverted matrix ~B9!21 of Proposition 1.If these three components are downloaded into the STT then it can decryptany program p [ U using the Decrypt-V procedure of Figure 3.

PROPOSITION 2. Procedure Decrypt-V decrypts a program p correctly ifand only if p [ U.

PROOF. Assume that p [ U. Then using Definition 2 and Proposition 1,and plugging (2) and (1), we have that

Dec 5 Kx 5 MBx 5 Mp 5 Key~p!,

thus the decryption key is correct.For the other direction, assume that p [y U. Then no solution exists for

the linear equation system (2), and in particular the x computed byDecrypt-V is not a solution, i.e., Bx 5 z Þ p for this x. Thus, Decrypt-Vwould generate the key Dec 5 Key~z! which is incorrect for program p. e

Remarks.

—If p [y U, then procedure Decrypt-V generates a valid key Key~z! tosome program z which is different from p. However, z [ U is a linear

Fig. 3. The Decrypt-V procedure.

118 • A. Wool


combination of basis vectors (whereas p is not) so the procedure does notgenerate keys that the user is not entitled to.

—In order to make the decryption more efficient, it is possible merge thesecret components K, ~B ’!21 and i1. . . , ir into a single k 3 n matrix D.In this representation procedure Decrypt-V computes the key by a singlematrix multiplication Dec 4 Dp.

4.5.2 The Check Matrix. For any program p, the Decrypt-V procedure ofthe previous section generates a key and attempts to decrypt the program.However, if p is outside the entitled subspace U, then the key is incorrectand the program will not be decrypted. Thus, the STT cannot distinguishbetween programs that fail to be decrypted due to transmission errors andthose that fail because they are outside the subspace U. This may beundesirable since the STT cannot give the user any meaningful feedbackregarding the cause of the problem.

To amend this situation, the check matrix can be added to the entitle-ment. With this extra information the STT can easily check if the selectedprogram p is in the entitled subspace U or not, without attempting todecrypt it. In the field of error correcting codes [MacWilliams and Sloane1977] such a matrix is known as a parity check matrix.

Definition 3. Let B be a basis matrix for a subspace U. Let B99 be anr 3 n matrix whose active index columns i1. . . , ir contain the columns of~B9!21, and is 0 everywhere else. Let I be the n-dimensional unit matrix.Then the n 3 n check matrix C is

C 5 BB99 2 I.

The test for the decrypt-ability of a program with a CID p is based on thefollowing proposition.

PROPOSITION 3. Cp 5 0 if and only if p [ U.

PROOF. If p [ U then it is easy to see that x 5 B99p is the solution tothe linear system of equations (2). Therefore by linearity we have that

Cp 5 BB99p 2 Ip 5 Bx 2 p 5 0.

Conversely, if p [y U then Bx Þ p for all x, and in particular Bx 2 p Þ 0for x 5 B99p. e

Remark. If the entitled subspace U is the space of all CIDs, then anybasis matrix B is an n-dimensional regular matrix in itself, and thusB99 5 B21 and BB99 5 I. So the check matrix C becomes all zero and thetest of Proposition 3 always succeeds, as expected.



5. HOW TO ASSIGN CIDS TO THE PROGRAMS

For the Vspace scheme to be useful, the CIDs cannot be assigned toprograms arbitrarily. Care must be taken so that the CIDs of programswith related content fit into low dimensional linear subspaces. In thissection we present one systematic method of assigning CIDs to programswhich achieves this goal.

5.1 The Topic Hierarchy

We assume that the programs can be naturally organized in a hierarchyaccording to attributes such as their subject, language, rating, source, etc.We call this hierarchy (or tree) the topic hierarchy.

We assign CIDs to programs in the hierarchy using the notion of prefixmasks. Procedure MakeMasks of Figure 4(i) recursively assigns the prefixmasks by labeling the topics from the root towards the leaves. The prefixmask of every topic is its own label concatenated to the mask of its parent,or equivalently, its own label concatenated to the labels of all its ancestors.An example of a part of a topic hierarchy with the masks generated by theMakeMasks procedure appears in Figure 4(ii).

Remarks.

—A label may be longer than the minimal number of bits required forlabeling all the subtopics. For instance, consider a topic X at the lowestlevel of the tree, whose subtopics are individual programs. If the cumu-lative length of X ’s mask is m bits then we may assign all the remaining

Fig. 4. The MakeMasks procedure (i), and the masks it assigns to a topic hierarchy (ii). Thedecimal numbers next to the topics represent their mask values, and the label lengths appearin brackets. Thus the prefix mask for “2.2.1 Professional Basketball” consists of the nine bits10 00010 01.

120 • A. Wool


n 2 m bits for subtopic (i.e., program) labels, even if there are fewerthan 2n2m such programs.

—The labels given to subtopics need not be consecutive. It may sometimesbe beneficial to leave some labels unused.

—The top level topic with label 0, which is called “Bonus” in Figure 4(ii),has a special role. The reason for this will become clear in the nextsection, when we see how to generate a basis from the prefix masks.Informally, users who buy some package like “all the sports programs”will also be entitled to some of the programs appearing in the Bonushierarchy.

5.2 Computing a Basis from the Prefix Masks

5.2.1 Single-Topic Packages. We start by addressing the case of apackage which contains all the programs in some topic X. Then the labelingdone by procedure MakeMasks is such that the CIDs of all these programsshare the same prefix mask, which is the mask assigned to topic X itself. Soour goal here is to show how to generate a basis for a package of CIDssharing a prefix m. Formally,

Definition 4. Let m be an m-bit mask. Then Um 5 $m\*% is the packageof all CIDs with the prefix m.

Note that in general such a set Um of CIDs sharing a prefix m is not alinear subspace. This may be easily seen from the fact 0 [y Um. However,when we extend Um to include some “bonus” programs, then the extendedpackage becomes a linear subspace. So when Bob buys a package of “all thesports programs,” his entitlement will also give him access to certain bonusCIDs. For a package with a mask m of length m the bonus CIDs are thosefor which the m most significant bits are zero. Formally,

Definition 5. Let m Þ 0 be an m-bit mask, and let 0m be a string of m0–bits. Then the bonus-extended package with prefix m is Um 5 $mi*% ø

$0mi*%, and programs with a CID of the form 0mi* are called bonusprograms.

Definition 6 gives an explicit construction of a basis Bm for a bonus-extended package Um. Then, in Proposition 4, we prove that Span~Bm! 5

Um. By this, we show that Um is indeed a linear subspace, and thatDefinition 6 gives us a simple method of constructing a basis for it.Moreover, the proof also shows that the entitlement for a package with aprefix m gives access precisely to the set Um and its bonuses, and to nothingelse.

Definition 6. Let m Þ 0 be an m-bit mask. Let e1, . . . , en denote thestandard basis where ei has a 1–bit in position i. Define the enabling vector



z to have m as its prefix followed by ~n 2 m! 0–bits, ie., z 5 mi0n2m.Define the basis Bm to be

Bm 5 $z, em11, . . . , en%.

Remark. In this section,, we view the basis Bm as a set of vectors ratherthan as a matrix. The corresponding n 3 ~n 2 m 1 1! basis matrix hasthe vectors z, em11, . . . , en as its columns.

PROPOSITION 4. Span~Bm! 5 Um, thus Um is a linear subspace of dimen-sion n 2 m 1 1 and Bm is a basis for it.

PROOF. Clearly the linear combinations of the standard vectors em11,. . . , en span every vector of the form 0mi*, so Bm spans all the bonusprograms.

Now the enabling vector z has 1-bits only in the m most significant bits,which comprise the mask m. Any bit pattern in the lower n 2 m bits can bewritten as a linear combination of the standard vectors em11, . . . , en.Hence, every CID p of the form mi* can be written as a combination of z

and some standard vectors. We conclude that Um # Span~Bm!.For the other direction, consider some linear combination p of vectors in

Bm. Then the m-bit prefix of p is either m (if the combination includes the

enabling vector z) or 0m (if z is not included). Thus, Um $ Span~Bm!.

The vectors in Bm are clearly independent, so the dimension of Um isn 2 m 1 1. e

Remarks.

—The mask length of a topic is not determined by the position of therightmost 1-bit in the mask, but rather by the length of the labelsassigned to the topic hierarchy. In the example of Figure 4(ii), the ‘‘2.2Basketball’’ package has a 7-bit mask 10˜00010, while the ‘‘2.2.0 CollegeBasketball’’ package has a 9-bit mask 10˜00010˜00, and both these maskslead to an identical enabling vector. However, the bases for the twopackages differ in the standard vectors they contain; the ‘‘College Basket-ball’’ basis is ~n 2 8!-dimensional and does not contain e8 and e9.

—Programs placed in the bonus hierarchy are shared by many packages. Apackage characterized by any prefix mask of m bits also contains thebonus CIDs of the form 0mi*. The bonuses added to a package dependonly on the length of the package’s prefix mask. Therefore, we may speakof ‘‘m-bit bonuses’’, which contain all the bonus CIDs whose prefix is atleast m-bits.

—If there is no need for bonus programs, it is always possible not to useCIDs from the bonus hierarchy at all. Then the only cases in which two

122 • A. Wool


packages share some programs (other than plaintext programs with CIDp 5 0) is if one package contains the other.

5.2.2 Multi-Topic Packages. So far we have seen how to create a basisfor a package of the form ‘‘all the programs which belong to topic X.’’ Thecase of a package which is the union of several topics is similar, with somelimitations.

Suppose Alice wants to buy all the programs belonging to topics X1, . . . , Xt

with masks m1, . . . , m t. We start by generating the t corresponding basesBm1, . . . , Bmt, as in Definition 6. Then we build a new basis B by repeatedlyincluding the next vector from Bm1 ø . . . ø Bmt which is independent of allthe vectors already in B. Checking if a vector p is independent of thevectors currently in B can be done by solving a system of linear equations[Birkhoff and MacLane 1977]. It is not difficult to see that the basis Bgenerated in this manner does indeed span all the programs belonging tothe requested topics.

However, there may be side-effects to this procedure. This is since, ingeneral, the union of linear subspaces is not a linear subspace. Thecomputed basis B is the basis of a linear subspace that contains all therequested topics, and parts of the bonus hierarchy, but it may also containother (unrequested) parts of the topic hierarchy.

Therefore, there can be two different approaches to using the topichierarchy. The simpler but more restrictive approach is to offer onlypackages which correspond to a single topic in the hierarchy, and avoid thecomplexities of possible side-effects. The second approach is to let userschoose several topics in the hierarchy, and to have the system compute thesubspace of programs that would actually be accessible with all theside-effects. The users then need to be informed of what they would reallybe getting (and paying for).

6. THE TREE SCHEME

The next scheme we present, called the Tree scheme, was suggested byDaniel Bleichenbacher [Bleichenbacher 1998]. Its basic structure is that ofthe construction of a pseudorandom function due to Goldreich et al. [1986].An arbitrary pseudorandom function would not necessarily allow a serviceprovider to flexibly package programs using very small entitlements.However, we show that the particular construction of Goldreich et al.[1986] gives us precisely the properties we need—with the added benefit ofsecurity proofs.

As in the Vspace scheme, the scheme only requires attaching a singlen-bit CID to each program’ broadcast. The encryption key for a program is afunction of its CID and of secret information stored at the head-end. EachSTT stores secret information which allows it to compute the keys to all theprograms it is entitled to, and to nothing else. And as in the Vspacescheme, the Tree scheme requires that CIDs be assigned carefully so thatmeaningful packages will have small entitlements.



6.1 The Basic Scheme

To make this paper self-contained, we include a description of the [Gold-reich et al. 1986] construction, using the terminology of the application wehave in mind. The main building block of the scheme is a cryptographicallysecure, length-doubling, hash function

H : $0, 1%k 3 $0, 1%2k,

where, as before, k is the encryption key length. For convenience, weconsider the image of H to be a pair of k-bit values, which we denote byH~x! 5 ^H0~x!, H1~x!&. We call H0 the left half of H, and call H1 the righthalf. For instance, when k 5 160, H could be defined by using SHA-1[SHA 1995] as H~x! 5 ^SHA-1~x\0!, SHA-1~x\1!&, where 0 and 1 areall-zero and all-one bit strings, respectively.

The scheme has a single k-bit master key, denoted by m. Let the bits ofCID p be denoted by p 5 ~ p1, . . . , pn!. Then the encryption key for aprogram with CID p is defined to be

Key~p! 5 Hpn~. . . Hp2~Hp1~m!!. . . !. (3)

Alternatively, we can describe this computation in terms of a full n-levelbinary tree T, which we call the key tree. A left edge in the key tree islabeled by 0 and a right edge is labeled by 1, and the programs correspondto the leaves. We say that the label of a node u [ T is the concatenation ofthe labels on the edges on the path from the root to u. Thus we can identifythe nodes’ labels with CIDs. We use T~u! to denote the subtree rooted atnode u, or equivalently, to denote the set of program CIDs corresponding toleaves in u ’s subtree.

We now place the master key m at the root of the tree. We compute thekeys for all the other nodes recursively by using the left or right half of H,depending on whether we follow a left or right edge. In particular, thisprocess computes all the program keys as in (3). However, it also allows usto talk about the key at an internal tree node u, which we denote byKey~u!.

In Goldreich et al. [1986] the authors prove that if the function H is apseudorandom bit generator, then the mapping Key~p! : $0, 1%n 3 $0, 1%k,parameterized by the master key m, is a pseudorandom function. See theoriginal paper, or the book [Luby 1996], for precise definitions and proofs.

6.2 Packages and Entitlements in the Tree Scheme

To be useful for our purposes, we need to show how to create smallentitlements for many sets of programs, both small and large, using theTree scheme.

Observe that given Key~u! of an internal node u at depth u, with a(partial) CID ~u1, . . . , ur!, it is easy to compute the keys of any program p

124 • A. Wool


in u’s subtree T~u!, i.e., any program with a CID of the form p 5 ui*. Thisis done by activating H n 2 r times and taking the left or right half eachtime, as dictated by the low order bits of p. Thus Key~u! can serve as anentitlement for all the programs in T~u!.

From this observation, we can see how the program packaging is done.Let S be a collection of programs (the target set) that needs to be packaged.We first find a minimal set of tree nodes whose subtrees precisely cover thetarget S. Formally,

T~S! 5 Z # T such that øueZ

T~u! 5 S, and ?Z? is minimal. (4)

The entitlement for the package S is the set of keys held at the nodes ofT~S!. As we observed above, this set of keys allows the STT to decryptexactly the programs in S but nothing else.

Note that, in principle, the Tree scheme can create an entitlement for anyarbitrary target set S. This is in contrast to the Vspace scheme, where onlypackages of specific sizes were at all possible. Nevertheless, if CIDs areassigned arbitrarily then the Tree entitlements may become prohibitivelylarge for the limited secure memory of the STTs.

6.3 Computing the Entitlements

There is an simple algorithm which computes the cover T~S! of (4) for anygiven target set S. The algorithm first decomposes the set S into maximaldisjoint intervals of consecutive CIDs,3 and then finds a cover for eachinterval. Let I~S! denote the number of intervals in S. It is easy to see thatcomputing a cover for a single interval of CIDs requires visiting O~n! treenodes in a key tree of depth n, so the algorithm’s time complexity isO~I~S!n!.

The size of the entitlement for a package similarly depends on thenumber of intervals of consecutive CIDs in S, and on the tree depth n. Thisis since the number of nodes in the minimal cover for a single interval isalso O~n! (in fact 2n nodes always suffice). We summarize this discussionby following result, which we state without proof:

PROPOSITION 5. Let T be a key tree of depth n. Then the minimal coverT~S! can be computed in time O~I~S!n!, and its size is O~I~S!n!

The algorithm is efficient only as long as T~S! is polynomial in n. Thus apackage of ‘‘all CIDs with least significant bit51’’ would need an entitle-ment of 2n21 keys, which is quite unrealistic to compute, let alone to storein an STT, unless n is very small. In a realistic scenario, the entitlementsize would be limited to some small number of keys, and hence the service

3 We say that CIDs p1 and p2 are consecutive if the integers whose binary representations arep1 and p2 are consecutive.



provider would not be able to package every arbitrary subset of programs.We quantify this observation in Section 8.

Therefore, as in the Vspace scheme, care must be taken so programs withrelated content are assigned CIDs that allow them to be packaged effi-ciently. Conveniently, the Tree scheme perfectly matches the topic hierar-chy and CID assignment we discussed in Section 5.1, where basic packagesare of the form ‘‘all CIDs with a bit prefix m.’’ An entitlement for such asingle-topic package is a single key in the Tree scheme. Moreover, multi-topic packages can be assembled with no side-effects: The entitlement issimply the set of keys for the individual topics that comprise the multitopicpackage. And we can do away with the restrictions of the ‘‘bonus’’ hierar-chy: Unlike Vspace packages, a Tree package defined by a prefix m does notallow the STT to decrypt programs with a 0 prefix of the same length.

6.4 Comparison with the Vspace Scheme

In many ways, the Tree scheme is superior to the Vspace scheme:

—Like Vspace, it only uses a single CID field in the broadcast.

—The Tree scheme is at least as flexible than the Vspace scheme (seeSection 8), and the possible packages are easier to understand since thereare no ‘‘side effects.’’

—The Tree scheme does not have any vulnerable linear structure.

—Security properties can be proven for it under suitable cryptographicassumptions.

In fact, the only aspect in which the Tree scheme is inferior to the Vspacescheme is in its CPU efficiency: For n-bit CIDs and k-bit keys, an STTusing the Vspace scheme needs O~n! XOR operations of k-bit words tocompute a key, whereas an STT using the Tree scheme needs to performO~n! hash function computations on k-bit values to compute the same key.This may or may not be a substantial drawback of the Tree scheme,depending on the processing power of the STT, the function H, and thevalue of n.

6.5 Variants and Remarks

—The basic tree scheme uses a binary tree, with left and right edgeslabeled by individual bits of the CID. A possible variation is to use widertrees, with edge selection governed by several bits at once. Instead of thebasic construction of Goldreich et al. [1986], we could use other pseudo-random-function constructions, such as Hall et al. [1998]. For instance, anode could have 2c children, and instead of the two hash functions H0

and H1 we would use 2c hash functions, which would be indexed byblocks of c consecutive bits in the CID. In fact, the number of children anode has can vary with the tree level at which it is located, e.g., top levelsof the tree would be binary, and the lower levels would be wider. The

126 • A. Wool


advantage of wider trees is that they are also shallower, thus reducingthe number of hash function calls necessary for the computation of aprogram key. The disadvantage of this approach is that it limits theflexibility of the scheme: In the extreme, a single-level tree with 2n

children implies that the user can either buy a package of all programs,or packages made up of individual program keys, which defeats the wholepurpose of a package. Thus there is a tradeoff between the efficiency ofkey computation, and the flexibility of the scheme.

—A construction similar to the Tree scheme has recently been suggestedfor applications in which the provider sells access to a multicast forpredefined periods of time [Briscoe 1999]. From our perspective, thesuggested construction is a special case of the general Tree scheme, inwhich a package is constrained to be a range of consecutive CIDs.

7. THE SECURITY OF THE SCHEMES

When we consider the security of our key management schemes, there aretwo models of attack that need to be addressed. In the more optimisticmodel, the secret information is stored in a truly tamper-proof chip insidethe STT. Therefore a pirate can only mount an attack using the transmis-sion itself. This model of attack is discussed in Section 7.1.

However, experience shows that pirates are very successful in breakinginto such ‘‘tamper-proof’’ STTs. In fact only a handful of the successfulattacks described in McCormac [1996] can be classified as crypt-analyticalattacks, and only against analog equivalents of simple substitution ciphers.All the rest exploit breaches in the ‘‘secure’’ chip. Therefore in Section 7.2 wediscuss the consequences of the pirates’ ability to break into the secure chip.

7.1 Tamper-Proof Set-Top Terminals

If the STT contains truly secure memory, then our main concern is toprotect against known-plaintext attacks. We argue that chosen-plaintextattacks are less likely since they would require a pirate to cause theencryption and broadcast of specific content, and such activities may benoticeable. On the other hand, it is reasonable to assume that a piratewould have access to unencrypted versions of programs, from sources suchas video libraries or TV reruns. Thus, the encryption algorithm used toencrypt the programs must be resistant to known-plaintext attacks. Inaddition, the decryption algorithm must be efficient enough to supportreal-time video decoding.

7.1.1 The ExtHeader Scheme. Here the pirate can also mount an attackagainst the covering algorithm, used to encrypt the program keys. Theheaders data attached to the programs contains: (a) Multiple encryptions ofthe same program key Kp with different package keys, and (b) multipleencryptions of different program keys with the same package key.

Therefore a stream cipher whose basic operation is an XOR with a pseudorandom string seems to be unsuitable as a covering algorithm. This is



because the pirate would be able to obtain either XORs of program keys, orXORs of the pseudo random strings by XORing together various encryptions.A candidate for the covering algorithm may be Triple-DES [ANSI 1985].

Besides choosing a good covering algorithm, another measure we cantake is to pad the program keys with random strings, and then cover thepadded key. This would increase the header size in proportion to the lengthof the padding. However, problem (a) then becomes a smaller concern sinceeach header block of a program p would cover Kp padded with differentrandom string.

7.1.2 The Vspace Scheme. Here our concern is that the pirates mayexploit the linearity of the scheme. If the program encryption preserves thelinearity of the key management, then a pirate may be able to track theinfluence of each bit of Key~p! on the encrypted program. Then using aknown-plaintext attack, the pirate may be able to write linear equationswith the key bits as variables. If k such equations are collected, then thesystem of equations can be solved and Key~p! can be found. If r programkeys are broken, for programs with linearly independent CIDs, then thepirate can decrypt a subspace of programs of dimension 2r essentially byusing procedure Decrypt-V of Figure 3. Thus every program can be de-crypted if the keys of n linearly independent programs are broken.

Therefore, we must ensure that the encryption algorithm does notpreserve linearity. For this reason, algorithms based on linear feedbackshift registers (cf. Golomb [1967]) may not be good choices. Algorithmsbased on the discrete log problem (cf. Odlyzko [1985]) may be inappropriateas well, since in some sense the linearity is preserved in the exponents,namely gagb 5 ga1b.

Engineering practices may be such that the system is designed in amodular way and the choice of video encryption algorithm is made indepen-dently from the choice of the key management scheme. If this is the case,the key management scheme should not output Key~p! 5 Mp as the keyfor program p, since the video encryption algorithm may preserve somelinearity. Rather, the encryption key should be h~Key~p!! where h~x! is acryptographically strong hash function that destroys linearity. Practicalchoices may be MD5 [Rivest 1992] or SHA-1 [SHA 1995]. By this thelinearity is destroyed before the key is used in the fast video encryptionalgorithm. This is also important in order to prevent pirates who buy apackage which is a subspace of dimension r from learning all the keys inthe subspace by extracting only r keys from the secure module (i.e., inorder to build a pirate decoder they would need to break into the securememory).

7.1.3 The Tree Scheme. If we assume that the hash function H is apseudorandom bit generator, then Key~p! is provably a pseudorandomfunction [Goldreich et al. 1986]. So if the actual function H is cryptograph-ically strong, then the encryption keys would be unpredictable. Thus, if the

128 • A. Wool


pirate only has access to the encrypted program broadcast, the knowledgethat the keys were generated using the Tree scheme does not seem to helpin breaking the encryption. So essentially the only concern we have is toensure that the video encryption algorithm is able to withstand knownplaintext attacks.

7.2 When the “Tamper-Proof” Chip is Compromised

If the pirates are able to break into the secure memory of an STT, thenclearly the security of the system is breached. We may assume that if thepirates break into Alice’s STT then they learn all the secrets stored in thatSTT, and in particular they can decrypt all the programs that Alice isentitled to.4 Our specific concern here is to ensure that the pirates will notbe able to decrypt programs that Alice is not entitled to.

7.2.1 The ExtHeader Scheme. In the ExtHeader scheme, knowledge ofsome package keys in itself does not help in breaking another package key,since these keys are chosen completely independently of each other. How-ever, if the pirates know a key si of some package i then they can mount aknown-plaintext attack on the covering algorithm. If some program pbelongs to the exposed package i then the pirates can now uncover its keyKp. This Kp becomes the plaintext that is covered by the key of every otherpackage that p belongs to. So in addition to the requirements mentioned inSection 7.1.1, we also need to ensure that the covering algorithm isresistant to known-plaintext attacks.

7.2.2 The Vspace Scheme. In the Vspace scheme, the situation is mar-ginally more delicate when an STT is compromised. If Alice is entitled to asubspace of programs of dimension r, then her key matrix K is of dimensionk 3 r. If the pirates learn this K, this knowledge is equivalent to knowingr of the master keys (r columns of M). Knowing r master keys can help thepirate in obtaining keys to a program p that Alice is not entitled to,however, the pirate’s advantage is negligible.

If Alice is not entitled to p, then Key~p! is a linear combination of masterkeys, at least one of which is unknown to the pirate. However, since themaster keys are chosen so they are linearly independent (recall Section4.3), the size of the enumeration space for Key~p! is slightly smaller: 2k22r.The pirate is in the best situation if r 5 n 2 1 (only one master key ismissing): Then the enumeration space is of size 2k22n21, and if k .. n(say k 5 2n) then the 2n21 term is negligible. Thus, we see that the systemsecurity is essentially intact despite the break-in.

If the pirates are able to break into other STTs that are entitled todifferent subspaces, then they may collect more master keys. Then, the

4Several measures are suggested in the Lucent IVES TM architecture [Cohen et al. 1995] toqualify this statement. For instance, if the entitlements are stored encrypted, using anencryption function specific to each individual STT, then simply copying the entitlement of oneSTT to another would be insufficient to clone the first one.



subspace of programs they would be able to decrypt would be larger thanthe union of the broken STTs’ entitlements. Note that in any key manage-ment scheme, if the pirates manage to break into STTs of users whotogether are entitled to all the programs then the pirates too can decryptall the programs. The difference is that in the Vspace scheme the piratesneed only to break into STTs of users whose entitlement bases togethercontain n linearly independent vectors.

7.2.3 The Tree Scheme. As before, if H is assumed to be pseudorandom,then a pirate who knows Key~p! provably has a negligible probability ofsuccessfully computing a key for any program outside u’s subtree. However,for a concrete realization of H, we need to be concerned about two properties.

One obviously required property is that it is hard to compute the input xgiven half of the image H0~x! or H1~x!. This certainly holds for anycryptographic hash H, which is hard to invert even when both halves of theimage are known.

The second property H needs to have is that it is hard to compute H0~x!even when H1~x! is known, and vice versa. In principle, it may be easier tocomplete a missing half-key when the other half is known, even if thefunction H is hard to invert. If this is the case, then a pirate who knowsKey~u! for some node u may be able to compute the key to u’s sibling v,and then to all the programs in v’s subtree T~v!.

An advantage of the Tree scheme is that it makes merging piratedentitlements inefficient. Consider a pair of sibling programs p1 and p2, andtheir parent u. Suppose that the pirate knows both Key~p1! and Key~p2!,which are the two halves of H~Key~u!!. The pirate still cannot invert Hand compute Key~u! since H is a cryptographic hash function. Thus, themerged pirated entitlement would have to contain both Key~p1! andKey~p2!, rather than the more compact Key~u!. So breaking into multipleSTTs with cheap but different entitlements is not a good strategy for thepirate. The combined entitlement will be very large.

8. THE ADDRESSING POWER OF THE SCHEMES

The addressing power ~AP! of a key management scheme is the number ofdifferent packages of programs that the service provider can offer. Thisnumber should be parameterized by the number of secret bits stored in theSTT (assuming the scheme does not add header information to the broad-cast). If a scheme X needs b secret bits stored at the STT, then the best wecould hope for is the ability to offer 2b different packages, i.e., AP~X ! 5 2b.

8.1 The Vspace Scheme

In the Vspace scheme, the STT stores kn bits, thus we could hope for anaddressing power of AP~Vspace! 5 2kn. Clearly, not every possible settingof the secret bits is valid since the user is only allowed to buy linear

130 • A. Wool


subspaces of programs. Nevertheless, we show that the number of packagesa user can choose from is close to the maximal value. The next propositionshows that AP~Vspace! 5 2Q~n2!, which is optimal (up to constants in theexponent) when k and n are of the same order of magnitude.

PROPOSITION 6. AP~Vspace! 5 2 ~11o~1!!n2/4.

PROOF. The number of d-dimensional linear subspaces in ann-dimensional vector space over a field of 2 elements is called the Gaussianbinomial coefficient and is denoted by F n

dG . In Goldman and Rota [1969] andMacWilliams and Sloane [1977, pp. 443–445], it is shown that

FndG 5

~2n21!~2n2121!. . . ~2n2d1121!

~2d21!~2d2121!. . . ~2 2 1!.

For the upper bound, note that the Gaussian coefficient is maximized whend 5 n / 2,

AP~Vspace! 5 Od51

n FndG # nF n

n /2G

Since for any 2 # s # n we have ~2n21! / ~2s21! # ~2n2121! / ~2s2121!,we obtain that

nF n

n /2G 5 n

~2n21!~2n2121!. . . ~2n/ 21121!

~2n/ 221!~2n/ 22121!. . . ~2 2 1!

# n~2n/ 21121!n/ 2 # 2n2/41n/ 21log n.

For the lower bound, note that for n $ 2 and s , n / 2 we have that~2n2s21! / ~2n/ 22s21! $ 2n/ 22121. Therefore

AP~Vspace! 5 Od51

n FndG $ F n

n /2G $ ~2n/ 22121!n/ 2 $ 2n2/42n. e

8.2 The Tree Scheme

In principle, any arbitrary subset of programs can comprise a package inthe Tree scheme. However, the entitlement size would be huge. Thereforewe are interested in the addressing power of the Tree scheme whenentitlements are limited to only d keys, i.e., the STT stores kd bits of secretinformation. So the best we can hope for is AP~Tree! 5 2kd. The nextproposition shows that the number of packages a user can choose from is aclose 2Q~nd!, which is optimal (up to constants in the exponent) when k andn are of the same order of magnitude.



PROPOSITION 7. AP~Tree! 5 2 ~11o~1!!nd.

PROOF. For a lower bound, note that the Tree scheme can package anysubset of d individual programs, so

AP~Tree! $ S2n

d D $ S2n

d Dd

5 2nd2dlog d1d.

For an upper bound, note that a tree of depth n, with 2n leaves, has a totalof 2n1121 nodes. Any subset of nodes corresponds to a possible entitlement(with some packages counted multiple times). Therefore

AP~Tree! # S2n11

d D # ~2n11!d 5 2nd1d. e

If d 5 n, then we see that AP~Tree! 5 2Q~n2! 5 AP~Vspace!. Thus, Treeand Vspace have essentially the same addressing power when the entitle-ment sizes are equal. However, in the Tree scheme, we can have d . n,which is meaningless in the Vspace scheme since the dimension of thevector space is n. Thus, Tree has more addressing power since it can utilizelarger entitlements.

9. CONCLUSIONS AND FUTURE WORK

We have seen that the “straw-man” ExtHeader scheme has excellentflexibility, at the cost of extra header data that needs to be transmitted.The Vspace scheme requires essentially no additional headers and stillenjoys high flexibility and superb efficiency at the STT, however, carefuldesign decisions must be made to ensure the security of the system. TheTree system is more flexible, more secure, and less restrictive in its design,however, it requires somewhat more CPU power from the STT. All theschemes are practical, and offer better capabilities than schemes in currentuse.

An important aspect of smart-card based systems is their ability tosupport “impulse buying” of pay-per-view events by storing some digitalcash on the smart-card, and deducting from it when the user decides toview a program. We would like to offer this feature without requiring acallback to the head-end to obtain a new key. Is it possible to allow suchimpulse buying while maintaining the desirable property that keys towhich the user is not entitled are not stored in the STT?

ACKNOWLEDGMENTS

I am grateful to Dan Heer for introducing me to the problems of broadcastencryption, and to Peter Winkler for encouraging me to work on them.Daniel Bleichenbacher made numerous suggestions about the crypto-graphic properties of these systems, and suggested the Tree scheme.Shimon Even brought Gaussian coefficients to my attention. Remarks

132 • A. Wool


made by Avi Silberschatz led to the idea of caching headers in theExtHeader scheme. I thank Amos Fiat and several anonymous refereeswhose comments helped me improve the presentation.

REFERENCES

ABDALLA, M., SHAVITT, Y., AND WOOL, A. 2000. Key management for restricted multicast usingbroadcast encryption. IEEE/ACM Trans. Netw. 8, 4, 443–454.

AIELLO, W., RAJAGOPALAN, S., AND VENKATESAN, R. 1995. Design of practical and provably goodrandom number generators. In Proceedings of the Sixth Annual ACM-SIAM Symposium onDiscrete Algorithms (San Francisco, CA, Jan.). ACM Press, New York, NY, 1–9.

ANDERSON, R. AND KUHN, M. 1997. Low cost attacks on tamper resistant devices. InProceedings of the International Workshop on Security Protocols (Cambridge, U.K.,Apr.). Springer-Verlag, New York, NY, 125–136.

ANSI. 1985. ANSI X9.17 (revised), American National Standard for Financial Institution KeyManagement (Wholesale). ANSI, New York, NY.

BERKOVITS, S. 1991. How to broadcast a secret. In Proceedings of the Conference on Advancesin Cryptology: Lecture Notes in Computer Science (EUROCRYPT’91), D. W. Davies, Ed., vol.547. Springer-Verlag, New York, NY, 535–541.

BIRKHOFF, G. AND MAC LANE, S. 1977. A Survey of Modern Algebra. 4th ed. MacmillanPublishing Co., Inc., Indianapolis, IN.

BLEICHENBACHER, D. 1998. Personal communication.BLUNDO, C. AND CRESTI, A. 1995. Space requirements for broadcast encryption. In Advances

in Cryptology—EUROCRYPT’94, A. D. Santis, Ed. Springer-Verlag, New York, NY,287–298.

BLUNDO, C., FROTA MATTOS, L. A., AND STINSON, D. R. 1998. Generalized Beimal-Chor schemesfor broadcast encryption and interactive key distribution. Theor. Comput. Sci. 200, 1-2,313–334.

BRISCOE, B. 1999. MARKS: Zero side-effect multicast key management using arbitrarilyrevealed key sequences. In Proceedings of 1st International Workshop on Networked GroupCommunication (NGC’99, Pisa, Italy, Nov.), L. Rizzo and S. Fdida, Eds. Springer-Verlag,New York, NY.

CHICK, G. C. AND TAVARES, S. E. 1989. Flexible access control with master keys. InProceedings of the Conference on Advances in Cryptology (EUROCRYPT ’89), G. Brassard,Ed. Springer-Verlag, New York, NY, 316–322.

CHIOU, G.-H. AND CHEN, W.-T. 1989. Secure broadcasting using the secure lock. IEEE Trans.Softw. Eng. 15, 8 (Aug.), 929–934.

COHEN, J., FAUCHER, D. W., ETZEL, M .., AND HEER, D. N. 1995. Security for broadband digitalnetworks. Commun. Tech., 58–69.

DES U.S. DEPARTMENT OF COMMERCE. 1977. Data encryption standard. National Bureau ofStandards. NBS FIPS PUB 46.

DIR. 1998. The high-tech behind broadcasting DirecTV. http://www.directv.com/ hardware/tech.html

FIAT, A. AND NAOR, M. 1994. Broadcast encryption. In Proceedings of the 13th AnnualInternational Cryptology Conference on Advances in Cryptology (CRYPTO ’93, Santa Bar-bara, CA, Aug. 22–26, 1993), D. R. Stinson, Ed. Springer Lecture Notes in ComputerScience. Springer-Verlag, New York, NY, 480–491.

FISCHER, J.-B. AND STERN, J. 1996. An efficient pseudo-random generator provably as secureas syndrome decoding. In Proceedings of the 16th Annual International Conference onAdvances in Cryptology (CRYPTO ’96, Santa Barbara, CA, Aug.), N. Koblitz,Ed. Springer-Verlag, New York, NY, 245–255.

FORT. 1998. Fortify for Netscape. http://www.fortify.net.GABBER, E. AND WOOL, A. 1999. On location-restricted services. IEEE Network 13, 6

(Nov/Dec), 44–52.GARAY, J. A., STADDON, J., AND WOOL, A. 2000. Long-lived broadcast encryption. In

Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology:



Lecture Notes in Computer Science (CRYPTO ’00), vol. 1880. Springer-Verlag, New York,NY, 333–352.

GEM. 1998. Gemplus: Catalog of products and services. http://www.gemplus.com/global_offer/index.htm

GOLDMAN, J. AND ROTA, G. -C. 1969. The number of subspaces of a vector space. In RecentProgress in Combinatorics, W. Tuttle, Ed. Academic Press, Inc., New York, NY, 75–83.

GOLDREICH, O., GOLDWASSER, S., AND MICALI, S. 1986. How to construct random functions. J.ACM 33, 4 (Oct.), 792–807.

GOLOMB, S. W. 1967. Shift Register Sequences. Holden-Day, Inc., San Francisco, CA.GONG, L. 1994. New protocols for third-party-based authentication and secure broadcast. In

Proceedings of the 2nd ACM Conference on Computer and Communications Security (Fair-fax, VA, Nov. 2–4), D. Denning, R. Pyle, R. Ganesan, and R. Sandhu, Chairs. ACM Press,New York, NY, 176–183.

HALEVI, S. AND PETRANK, E. 1995. Storing classified files. ftp://theory.lcs.mit.edu/ pub/people/shaih/classify.ps.gz.

HALL, C., WAGNER, D., KELSEY, J., AND SCHNEIER, B. 1998. Building PRFs from PRPs. InAdvances in Cryptology—CRYPTO ’98, H. Krawczyk, Ed. Springer-Verlag, New York, NY,370–389.

IMPAGLIAZZO, R. AND NAOR, M. 1989. Efficient cryptographic schemes as secure as subsetsum. In Proceedings of the 30th IEEE Symposium on Foundations of Computer Science(FOCS ’89, Research Triangle Park, NC, Oct. 30–Nov. 1). IEEE Computer Society Press,Los Alamitos, CA, 236–241.

LUBY, M. 1996. Pseudorandomness and Cryptographic Applications. Princeton UniversityPress, Princeton, NJ.

LUBY, M. AND STADDON, J. 1998. Combinatorial bounds for broadcast encryption. InProceedings of the Workshop on Advances in Cryptology: Lecture Notes in Computer Science(EUROCRYPT ’98, Espoo, Finland), K. Nyberg, Ed., vol. 1403. Springer-Verlag, New York,NY, 512–526.

MACQ, D. M. AND QUISQUATER, J.-J. 1995. Cryptology for digital TV broadcasting. Proc. IEEE83, 6, 944–957.

MACWILLIAMS, F. J. AND SLOANE, N. 1977. The Theory of Error Correcting Codes.North-Holland Publishing Co., Amsterdam, The Netherlands.

MCCORMAC, J. 1996. European Scrambling Systems 5. Waterford University Press.MOYER, M. J., RAO, J. R., AND ROHATGI, P. 1999. A survey of security issues in multicast

communications. IEEE Network 13, 6 (Nov/Dec), 12–23.MPEG2. 1994. MPEG-2: Coding of moving pictures and associated audio. ISO/IEC CD

13818-1.ODLYZKO, A. M. 1985. Discrete logarithms in finite fields and their cryptographic

significance. In Proc. of the EUROCRYPT 84 workshop on Advances in cryptology: theoryand application of cryptographic techniques (Paris, France, Apr. 9-11, 1984), T Beth, N Cot,and I Ingemarsson, Eds. Springer-Verlag, New York, NY, 224–314.

QUISQUATER, J.-J. 1998. Personal communication.RIVEST, R. 1992. The MD5 message-digest algorithm. MIT Laboratory for Computer Science,

Cambridge, MA.RIVEST, R., SHAMIR, A., AND ADELMAN, L. 1978. A method for obtaining digital signatures and

public-key cryptosystems. Commun. ACM 21, 2 (Feb.), 120–126.SCHNEIER, B. 1996. Applied Cryptography: Protocols, Algorithms, and Source Code in C. 2nd

ed. John Wiley and Sons, Inc., New York, NY.SHA AND NIST. 1995. NIST FIPS PUB 180-1, Secure Hash Standard. National Institute of

Standards and Technology, Gaithersburg, MD.SHAMIR, A. 1998. Personal communication.

Received: January 1999; revised: April 2000; accepted: April 2000

134 • A. Wool


Documents

Key Management for Encrypted Broadcastyash/p107-wool.pdf · NJ 07974; email: [email protected]. Permission to make digital/hard copy of part or all of this work for personal